Router configuration - ACL issue

I am creating an IP extended ACL on a Cisco 1700 series. The ACL is to be applied on Serial0 (WAN interface) and will filter incoming (internet to network) packets for security purposes. Standard ports 25, 80, 110, 443 are permitted, as well as one port for VPN. Specified ports are opened for both TCP and UDP. In addition, "established" connections are also permitted.

The problem comes on DNS. Port 53 is supposed to be the standard DNS port; I have opened port 53 for UDP and TCP, yet as soon as the filter is applied, no internal machine can do DNS resolution. (Note: the DNS server is an external network provider machine.) If I remove the ACL, the "internet comes back on," as one developer stated. Command-line DNS also fails, so it is definitely DNS that is dying on the ACL.

All statements in the ACL are permits at this point, allowing the implicit "deny any any" to cover what I do not manually open, so it's not a misconfigured deny statement. No filters are applied to the LAN interface, so they default to permit any any in both directions. There is no outgoing filter on the WAN interface, so it is also permit any any.

All Comments

access-list ### permit udp host "ip.of.name.server" any gt 1023

DNS works on UDP. Try opening higher ports from the server. If there are any security concerns, I am not sure of any other way around it; maybe some of our sec gurus can help more. Thx,
Srik
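The block below is an added example, not code from the post or the comment. It illustrates why the inbound ACL described in the post kills DNS resolution and what the comment's suggested line fixes: a small Python evaluator for the subset of Cisco IOS extended-ACL syntax the thread uses, run over constructed packets. The ACL text is a reconstruction of what the post describes (the real list was not posted); the ACL number 101, the LAN client 192.0.2.10, the provider's DNS server 198.51.100.53 and the web server 203.0.113.7 are assumptions. The point it shows: the inbound filter on Serial0 sees DNS replies, which arrive from source port 53 to the client's ephemeral destination port, so `eq 53` on the destination never matches them, and `established` only ever matches TCP (ACK or RST set), never UDP. The corrected list applies the comment's `permit udp host <dns> any gt 1023` idea, tightened to the resolver's source port 53, and drops the inbound `any any eq 53` lines because, as the post says, no internal host serves DNS.

```python
"""Mini Cisco IOS extended-ACL evaluator (added example, not from the thread).

Models only the syntax the thread uses: permit/deny, ip/tcp/udp, 'any',
'host A.B.C.D', 'A.B.C.D wildcard', port operators eq/gt/lt on source and
destination, and the TCP 'established' keyword. First match wins and an
implicit 'deny ip any any' ends every list, as on IOS.
Addresses and the ACL number are assumptions; the real ACL was not posted.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False    # TCP only; 'established' matches ACK or RST set


def _addr(tokens):
    """Consume one address spec; return (match_fn, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = int(ipaddress.ip_address(tokens[1]))
        return (lambda ip: int(ipaddress.ip_address(ip)) == want), tokens[2:]
    base = int(ipaddress.ip_address(tokens[0]))
    care = ~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF   # wildcard 1-bits are ignored
    return (lambda ip: int(ipaddress.ip_address(ip)) & care == base & care), tokens[2:]


def _port(tokens):
    """Consume an optional port operator; return (match_fn, remaining tokens)."""
    ops = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n, "lt": lambda p, n: p < n}
    if tokens and tokens[0] in ops:
        op, n = ops[tokens[0]], int(tokens[1])
        return (lambda p: op(p, n)), tokens[2:]
    return (lambda p: True), tokens


def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> <proto> <src> [op] <dst> [op] [established]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue                        # blank line or IOS comment
        _, _, action, proto, *rest = t
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        rules.append((action, proto, src, sport, dst, dport, "established" in rest))
    return rules


def evaluate(rules, pkt):
    """First-match evaluation with the implicit deny at the end."""
    for action, proto, src, sport, dst, dport, est in rules:
        if proto not in ("ip", pkt.proto):
            continue
        if not (src(pkt.src) and sport(pkt.sport) and dst(pkt.dst) and dport(pkt.dport)):
            continue
        if est and not (pkt.proto == "tcp" and pkt.ack_or_rst):
            continue                        # 'established' never matches UDP
        return action
    return "deny"                           # implicit 'deny ip any any'


# Reconstruction of the inbound list the post describes (ports 25/110/443 omitted
# for brevity): 'established' plus each service port opened for TCP and UDP.
AS_POSTED = """
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 80
access-list 101 permit udp any any eq 80
access-list 101 permit tcp any any eq 53
access-list 101 permit udp any any eq 53
"""

# Corrected: UDP replies from the provider's resolver come FROM port 53 TO the
# client's ephemeral port. TCP DNS replies are already covered by 'established'.
CORRECTED = """
access-list 101 permit tcp any any established
access-list 101 permit tcp any any eq 80
access-list 101 permit udp any any eq 80
access-list 101 permit udp host 198.51.100.53 eq 53 any gt 1023
"""


def classify(acl_text):
    """Run constructed inbound-on-Serial0 traffic through an ACL; returns {name: verdict}."""
    rules = parse_acl(acl_text)
    lan, dns, web = "192.0.2.10", "198.51.100.53", "203.0.113.7"   # assumed addresses
    traffic = {
        "dns_reply_udp": Packet("udp", dns, 53, lan, 40123),
        "dns_reply_tcp": Packet("tcp", dns, 53, lan, 40124, ack_or_rst=True),
        "http_reply": Packet("tcp", web, 80, lan, 50000, ack_or_rst=True),
        "dns_query_to_lan": Packet("udp", web, 40000, lan, 53),     # unsolicited inbound query
        "spoofed_udp_reply": Packet("udp", web, 53, lan, 40123),    # not from the configured resolver
    }
    return {name: evaluate(rules, p) for name, p in traffic.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, classify(acl))
```

Running the block prints the verdict for each constructed packet under both lists: as posted, the UDP DNS reply is dropped by the implicit deny while an unsolicited query to port 53 on the LAN is let in; corrected, the reply passes and the unsolicited query and a UDP packet claiming to be from port 53 on some other host are both dropped. Caveats for the real router: `gt 1023` assumes the stub resolvers use ephemeral source ports above 1023 (true for common operating systems; confirm with a packet capture if resolution still fails), and if the provider has more than one resolver address each needs its own `host` line.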
